Kabisa Privacy Policy
Last updated: 15 July 2026
This Privacy Policy explains how Kabisa Electric Ltd. ("Kabisa", "we", "us"), and, for users in Kenya, its regional expansion entity Kabisa Kenya, collect, use, share, and protect your personal data when you use:
- the Kabisa consumer app (mobile and web) — finding chargers, starting and paying for charging sessions, and managing your account and vehicles;
- the Kabisa fleet app — for fleet managers and drivers whose vehicles are enrolled with a fleet;
- the Kabisa CPMS ("Charge Point Management System") — the console our staff and station-operator partners use to manage stations, sessions, and tickets;
- the gokabisa.com website;
(together, the "Services").
Kabisa is the data controller for the personal data described here. We are registered with the Rwanda National Cyber Security Authority (NCSA) as a data controller under Law No. 058/2021 of 13/10/2021 relating to the protection of personal data and privacy. In Kenya, the Services are operated by Kabisa Kenya, which complies with the Kenya Data Protection Act, 2019 and is registered with the Office of the Data Protection Commissioner (ODPC).
Contact / Data Protection Officer (DPO): Nicholas Hu — [email protected] Kabisa Electric Ltd. — Kabisa EV House, 1 KN 77 St, Kiyovu (below Camp Kigali), Kigali, Rwanda · Company ID 120732779 · Tel: 6420 / +250 793 897 974 Kabisa Kenya — Golf View Offices, Nairobi, Kenya
For how to exercise your rights step by step, see our Data Subject Rights page.
1. What we collect
We collect only what we need to run a charging network and let you pay for electricity:
- Account and profile — name, phone number, email address, and your sign-in identity (Google, Apple, or email and password). We never see or store your Google or Apple password.
- Vehicle details — make, model, number plate, connector type, and any RFID charging tags or AutoCharge vehicle identifiers you link to your account.
- Charging activity — charging sessions and charge detail records (CDRs): which station you used, when, how much energy you drew, and what it cost.
- Payments and wallet — wallet top-ups, charges, and refunds, together with the transaction reference returned by your payment provider (e.g. MTN Mobile Money or M-Pesa). We never store your mobile-money PIN or credentials — payment is authorised on your own phone with your provider, and we keep only the provider's transaction reference.
- Location — your position is used on demand to show nearby chargers on the map while you are using the App. We do not track your location in the background and we do not store a history of your movements.
- Support — messages and tickets you send us.
- Technical data — device type, app version, and security/access logs (e.g. sign-in events), used to keep accounts safe.
- Fleet users — if your employer manages your vehicle through the Kabisa fleet app, your fleet manager can see the vehicles, assignments, charging sessions, and consolidated billing for the fleet. Your employer is responsible for telling you how it uses that information.
- Driver-submitted station reports — if you report a station as offline/unavailable, suggest a correction to its listed information, or attach a photo, we store that report (and, if you're signed in, that it came from your account) so our staff can review and action it.
- CPMS staff/operator accounts — if you're a Kabisa employee or a station-operator partner with CPMS access, we collect your name, work email, role, and access/action logs (e.g. tariff changes, ticket resolutions) to run the console and keep it auditable.
We do not knowingly collect data from anyone under 18. The consumer- and driver-facing Services are for drivers and fleet operators; CPMS access is limited to Kabisa staff and station-operator partners.
2. Why we use it (purposes and legal bases)
| Purpose | Data used | Legal basis |
|---|---|---|
| Create and secure your account | Account, technical data | Contract; legitimate interest (security) |
| Show nearby available chargers | On-demand location | Consent (device location permission) |
| Start, run, and bill charging sessions | Vehicle, charging activity, wallet | Contract |
| Process payments and top-ups | Payment references, wallet ledger | Contract; legal obligation (financial records) |
| Send service messages (e.g. charge complete, receipt) | Contact details | Contract |
| Marketing messages | Contact details | Separate opt-in consent — never bundled with signup; withdraw any time |
| Prevent fraud and abuse (e.g. SIM-swap protection, rate limits) | Technical data, access logs | Legitimate interest |
| Meet tax and accounting law | CDRs, wallet ledger | Legal obligation (RRA in Rwanda; KRA in Kenya) |
| Improve the Services | Aggregated, anonymised analytics | Legitimate interest |
3. Who we share it with
We do not sell your personal data. We share it only with:
- Payment providers (e.g. MTN Mobile Money, Safaricom M-Pesa) — to process the payment you initiate. They act under their own privacy policies.
- Roaming partners — if you charge on a partner's network (or a partner's customer charges on ours), the charge detail record for that session is exchanged with that partner over the OCPI roaming protocol so the session can be billed. CDRs shared this way contain the session and billing details, not your full profile.
- Service providers under data-processing agreements — our cloud hosting provider, SMS delivery provider, and payment aggregator. They may process data only on our instructions.
- Your fleet manager — for vehicles enrolled in a fleet (see section 1).
- Authorities — where the law requires it (e.g. tax authorities, a court order, or the NCSA/ODPC).
4. Where your data lives
Your data is hosted in Rwanda, or in a registered cross-border location in accordance with Rwandan law. Where personal data is transferred outside Rwanda (for example to a regional cloud data centre), the transfer is registered with the NCSA and protected by contractual safeguards. Data is encrypted in transit (TLS 1.2+) and at rest (AES-256), with encrypted in-region backups.
5. How long we keep it
| Data | Retention |
|---|---|
| One-time sign-in codes (OTP) | Minutes — deleted after single use |
| Security and access logs | 90 days to 1 year |
| Account and profile | Life of the account, plus a 30-day grace period after a deletion request |
| Charging sessions and CDRs | Kept as financial records — 10 years (Rwanda, RRA) / 5 years (Kenya, KRA) — and pseudonymised (unlinked from your identity) when you delete your account |
| Wallet ledger | Kept for financial integrity; unlinked from your identity on account deletion |
| Support tickets | 2 years |
| Analytics | Aggregated or anonymised; raw events no more than 14 months |
| Location | Not stored — used on demand for the map only |
6. Your rights
Under Rwanda's Law No. 058/2021 (and, in Kenya, the Data Protection Act 2019) you have the right to:
- Access the personal data we hold about you;
- Correct inaccurate or incomplete data;
- Delete your account and personal data (see below);
- Object to or restrict certain processing, including withdrawing marketing consent at any time;
- Portability — receive the data you provided in a usable format;
- Complain to the supervisory authority: the NCSA in Rwanda, or the ODPC in Kenya.
To exercise any right, contact [email protected]. We respond within the timelines the law sets. See our Data Subject Rights page for the detailed how-to, response times, and identity-verification process.
Account deletion: you can delete your account in the App (Profile → Delete account) or by visiting gokabisa.com/delete-account. Deletion removes your profile and sign-in identity after a 30-day grace period. Charging and payment records that the law requires us to keep as financial records are retained but pseudonymised — they can no longer be linked to you.
7. Security
We protect your data with encryption in transit and at rest, short-lived access tokens stored in your device's secure keystore, rate limiting on sign-in codes, re-verification on new devices before wallet actions, and a payment PIN for higher-value actions. If a breach is likely to put your rights at risk, we will notify the NCSA within 48 hours (ODPC within 72 hours for Kenya) and affected users without undue delay.
8. Cookies and similar technologies
The gokabisa.com website and the web/CPMS versions of the Services use strictly-necessary local storage to keep you signed in and remember your language — no advertising or cross-site tracking cookies. See our Cookie Policy for the full list and how to manage them.
9. Changes to this policy
We will post any changes here and update the date above. For material changes we will notify you in the App or by message before they take effect.
10. Contact
Kabisa Electric Ltd. (trading as Kabisa) — Company ID 120732779 Kabisa EV House, 1 KN 77 St, Kiyovu (below Camp Kigali), Kigali, Rwanda Tel: 6420 / +250 793 897 974
Kabisa Kenya (regional expansion entity) — Golf View Offices, Nairobi, Kenya